Privacy Management Frameworks Ten Years On
Updated: Sep 9, 2020
Data driven, cloud first, Artificial Intelligence, Internet of Things and other such terms are increasingly being discussed in board rooms. In responsible organisations this inevitably leads to discussions around privacy and privacy risk management. No senior stakeholder wants to have a major data breach on their shift. Privacy risk management has long been a topic of discussion, research and product development, with formal privacy management frameworks being established over ten years ago. Yet data privacy breaches continue. Have these frameworks not evolved to cope with today’s data driven, cloud first digital strategies? Or has the impact of data and digital disruption been so great that it is necessary to start building new frameworks from scratch?
Ten Years Earlier …
Federal Best Practices: Elements of a Federal Privacy Program, published in 2010, identified seven building blocks of a robust privacy program: (i) leadership, (ii) privacy risk management and compliance documentation, (iii) information security, (iv) incident response, (v) notice and redress for individuals, (vi) privacy training and awareness, (vii) accountability. Privacy Risk Management: Building privacy protection into a Risk Management Framework to ensure that privacy risks are managed by default, also published in 2010 by the Information and Privacy Commissioner of Ontario, Canada, is another example. This framework presented (i) context, (ii) risk identification, (iii) risk analysis, (iv) risk management, (v) continuous improvement and (vi) communication as the key concepts.
Then there is the Generally Accepted Privacy Principles, a finance sector driven initiative, published in 2009 by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). This was created as a tool that accountants could use as they sought to manage the privacy risks that their organisations, or those that they acted for, might be exposed to. This approach focused on the need to develop a clear set of privacy objectives and then to ensure that the processing of any personally identifiable information was compliant with those objectives.
All of the concepts used in those initiatives are still relevant today and, although they may be packaged and presented differently, they are present in some of the newer frameworks.
NIST Privacy Management Framework
The NIST Privacy Management Framework, published in January 2020, is the latest to be produced. It was developed in collaboration with a large number of stakeholders from a wide range of organisations, including standards organisations such as ISO, HL7 and IEEE. Industry bodies such as the Interactive Advertising Bureau (IAB) and technology vendors including Microsoft have also contributed. Contributions were also provided by a number of regulatory authorities, including the Commission nationale de l'informatique et des libertés (CNIL) and the Norwegian Consumer Council. The scope and degree of collaborative input sought during the development of the framework makes this one of the most complete in terms of being able to support privacy professionals.
One of the framework’s key features is that the range of privacy activities and outcomes that organisations need to think about when developing their privacy programs is presented in five groups (core functions). Each function focuses on a specific outcome. IDENTIFY guides privacy professionals through the process of building an accurate picture of the risks associated with personal data used, or generated by, products and services provided to their customers. GOVERN ensures that the structures, policies and processes required to operate in compliance with relevant regulations or mandates are developed. CONTROL and PROTECT focus on the detailed mechanics of ensuring that data processing follows the approach that was designed as a result of completing the relevant tasks within the IDENTIFY and GOVERN functions. Finally, COMMUNICATE enables privacy professionals to ensure that information about, and awareness of, the organisation’s privacy objectives is clear and easily accessible to relevant stakeholders.
To long term privacy practitioners the NIST framework may be perceived as yet another privacy framework to choose from. Whilst this may be the case, NIST recognises, and supports, other frameworks that privacy professionals may already be working with through a set of ‘crosswalks’ which map its concepts to those in other frameworks, such as the International Organization for Standardization Privacy Information Management System (ISO/IEC 27701), or to other regulatory regimes. The important point about the ‘crosswalks’ is that they aid understanding of how privacy concepts are treated across different standards. Organisations operating across multiple jurisdictions can therefore more easily design privacy programs that are appropriate for all of their operations.
Adopting the NIST Framework
To support and encourage adoption NIST have provided some example scenarios, but as organisations focus more on moving to the cloud, insights published by the leading providers of cloud services are particularly useful. For example, an Amazon Web Services Security Blog post, Privacy conscious cloud migrations: mapping the AWS Cloud Adoption Framework to the NIST Privacy Framework, describes how organisations moving applications and services to the AWS cloud can use the NIST privacy framework to support the privacy risk assessment component of the cloud adoption process and to ensure that the relevant privacy practices are implemented once cloud applications and services are in use.
The NIST Privacy Framework is still a work in progress. The next stages of its development, described in an associated roadmap, highlight the need to consider the challenges involved in protecting privacy where products and services include advanced and emerging technology. Another area of focus is how best to develop the privacy workforce so that the appropriate skills and roles are developed. But, perhaps the most challenging aspect of the roadmap is work that will need to be carried out in order to ensure that as the framework develops it remains aligned with a wide range of international regulations, standards and practices.